[Fixed] Hijackthis! Logs - Trojan and spyware (i guess) (Security & Safety forum)
#8
02-15-2008
simonlaihk (Bronze Member; Join Date: Feb 2008; Location: UK; Posts: 12; PC Experience: Some Experience)
Re: Trojan and spyware (i guess)

Hi there, here is a problem, Avenger doesn't support Vista.


#9
02-15-2008
Pancake (Senior Security Analyst; Join Date: Jun 2006; Location: Victoria, Australia; Posts: 3,590; PC Experience: Elite PC Guru)
Re: Trojan and spyware (i guess)

Sorry. Don't know why I put Avenger in there. I know it's no good with Vista.

Please copy this page to *Notepad* and save to your desktop for reference as you will not have any browsers open while you are carrying out portions of these instructions.
It's IMPORTANT to carry out the instructions in the sequence listed below.
1. Close any open browsers.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
Open *notepad* and copy/paste the text in the quotebox below into it:


File::
C:\sqmdata01.sqm
C:\sqmnoopt01.sqm

Save this as CFScript.txt, in the same location as ComboFix.exe which is on the Desktop.


Referring to the picture above, drag CFScript.txt into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt
Please copy and paste the ComboFix.txt along with a fresh HijackThis log in your next reply please.

*Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall*


__________________
My real name is Eddy
#10
02-17-2008
simonlaihk (Bronze Member; Join Date: Feb 2008; Location: UK; Posts: 12; PC Experience: Some Experience)
Re: Trojan and spyware (i guess)

ComboFix log:

ComboFix 08-02-17.2 - Si Lai 2008-02-17 11:22:47.2 - NTFSx86
執行位置?: C:\Users\Si Lai\Desktop\ComboFix.exe
Command switches used :: C:\Users\Si Lai\Desktop\CFScript.txt.txt
FILE ::
C:\sqmdata01.sqm
C:\sqmnoopt01.sqm
.
(((((((((((((((((((((((((((((((((((((( 其他遭刪除的檔案 ))))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\sqmdata01.sqm
C:\sqmnoopt01.sqm
.
(((((((((((((((((((((((((((( 2008-01-17 - 2008-02-17 之間建立的檔案 )))))))))))))))))))))))))))))))))
.
2008-02-17 11:09 . 2008-02-17 11:09 268 --ah----- C:\sqmdata07.sqm
2008-02-17 11:09 . 2008-02-17 11:09 244 --ah----- C:\sqmnoopt07.sqm
2008-02-12 22:15 . 2008-02-12 22:15 268 --ah----- C:\sqmdata06.sqm
2008-02-12 22:15 . 2008-02-12 22:15 244 --ah----- C:\sqmnoopt06.sqm
2008-02-12 18:10 . 2008-02-12 18:10 268 --ah----- C:\sqmdata05.sqm
2008-02-12 18:10 . 2008-02-12 18:10 244 --ah----- C:\sqmnoopt05.sqm
2008-02-10 11:58 . 2008-02-10 11:58 268 --ah----- C:\sqmdata04.sqm
2008-02-10 11:58 . 2008-02-10 11:58 244 --ah----- C:\sqmnoopt04.sqm
2008-02-09 14:00 . 2008-02-09 14:00 268 --ah----- C:\sqmdata03.sqm
2008-02-09 14:00 . 2008-02-09 14:00 244 --ah----- C:\sqmnoopt03.sqm
2008-02-09 09:20 . 2008-02-09 09:20 268 --ah----- C:\sqmdata02.sqm
2008-02-09 09:20 . 2008-02-09 09:20 244 --ah----- C:\sqmnoopt02.sqm
2008-02-08 21:23 . 2008-02-08 21:23 <DIR> d-------- C:\Users\Si Lai\AppData\Roaming\Apple Computer
2008-02-08 21:23 . 2008-02-08 21:23 <DIR> d-------- C:\Program Files\iTunes
2008-02-08 21:23 . 2008-02-08 21:23 <DIR> d-------- C:\Program Files\iPod
2008-02-08 21:23 . 2008-02-08 21:23 54,156 --ah----- C:\Windows\QTFont.qfn
2008-02-08 21:23 . 2008-02-08 21:23 1,409 --a------ C:\Windows\QTFont.for
2008-02-08 21:10 . 2008-02-08 21:23 <DIR> d-------- C:\Users\All Users\Apple Computer
2008-02-08 21:10 . 2008-02-08 21:23 <DIR> d-------- C:\ProgramData\Apple Computer
2008-02-08 21:10 . 2008-02-08 21:11 <DIR> d-------- C:\Program Files\QuickTime
2008-02-08 21:10 . 2008-02-08 21:10 <DIR> d-------- C:\Program Files\Apple Software Update
2008-02-08 21:09 . 2008-02-08 21:09 <DIR> d-------- C:\Users\All Users\Apple
2008-02-08 21:09 . 2008-02-08 21:09 <DIR> d-------- C:\ProgramData\Apple
2008-02-08 21:09 . 2008-02-08 21:09 <DIR> d-------- C:\Program Files\Common Files\Apple
2008-02-08 15:25 . 2008-02-08 16:18 <DIR> d-------- C:\SDFix
2008-02-06 18:28 . 2008-02-06 18:28 <DIR> d-------- C:\Program Files\CCleaner
2008-02-05 17:10 . 2008-02-05 17:10 <DIR> d-------- C:\Users\Si Lai\Music
2008-02-01 16:00 . 2008-02-01 16:00 <DIR> d-------- C:\Program Files\Trend Micro
2008-02-01 15:37 . 2008-02-01 15:37 <DIR> d-------- C:\VundoFix Backups
2008-02-01 15:32 . 2008-02-01 15:35 <DIR> d-------- C:\Users\All Users\Spybot - Search & Destroy
2008-02-01 15:32 . 2008-02-01 15:35 <DIR> d-------- C:\ProgramData\Spybot - Search & Destroy
2008-02-01 15:32 . 2008-02-01 15:32 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-01-30 23:52 . 2008-01-30 23:52 <DIR> d-------- C:\Users\All Users\FLEXnet
2008-01-30 23:52 . 2008-01-30 23:52 <DIR> d-------- C:\ProgramData\FLEXnet
2008-01-30 12:56 . 2007-12-10 14:53 81,288 --a------ C:\Windows\System32\drivers\iksyssec.sys
2008-01-30 12:56 . 2007-12-10 14:53 66,952 --a------ C:\Windows\System32\drivers\iksysflt.sys
2008-01-30 12:56 . 2007-12-10 14:53 41,864 --a------ C:\Windows\System32\drivers\ikfilesec.sys
2008-01-30 12:56 . 2007-12-10 14:53 29,576 --a------ C:\Windows\System32\drivers\kcom.sys
2008-01-30 12:55 . 2008-01-30 12:55 <DIR> d-------- C:\Users\Si Lai\AppData\Roaming\PC Tools
2008-01-30 12:55 . 2008-02-06 18:16 <DIR> d-------- C:\Program Files\Spyware Doctor
2008-01-30 12:36 . 2008-01-30 12:36 <DIR> d-------- C:\Users\Si Lai\AppData\Roaming\PCToolsFirewallPlus
2008-01-30 12:33 . 2008-02-17 11:20 <DIR> d-a------ C:\Users\All Users\TEMP
2008-01-30 12:33 . 2008-02-17 11:20 <DIR> d-a------ C:\ProgramData\TEMP
2008-01-30 12:31 . 2008-02-06 19:12 <DIR> d-------- C:\Program Files\PC Tools Firewall Plus
2008-01-30 12:31 . 2008-01-30 12:31 <DIR> d-------- C:\Program Files\Common Files\PC Tools
2008-01-30 12:31 . 2008-01-04 14:13 218,520 --a------ C:\Windows\System32\drivers\pctfw2.sys
2008-01-30 12:31 . 2008-01-04 14:13 125,848 --a------ C:\Windows\System32\drivers\pctfw.sys
2008-01-30 12:31 . 2008-01-04 14:13 40,856 --a------ C:\Windows\System32\drivers\pctmp.sys
2008-01-30 12:31 . 2008-01-04 14:13 18,328 --a------ C:\Windows\System32\drivers\pctssipc.sys
2008-01-27 22:12 . 2008-02-17 11:09 <DIR> d-------- C:\Users\Si Lai\AppData\Roaming\AVG7
2008-01-27 22:08 . 2008-01-27 22:08 <DIR> d-------- C:\Users\All Users\Grisoft
2008-01-27 22:08 . 2008-01-27 22:14 <DIR> d-------- C:\Users\All Users\avg7
2008-01-27 22:08 . 2008-01-27 22:08 <DIR> d-------- C:\ProgramData\Grisoft
2008-01-27 22:08 . 2008-01-27 22:14 <DIR> d-------- C:\ProgramData\avg7
2008-01-27 22:08 . 2008-01-27 22:08 9,216 --a------ C:\Windows\System32\avgwlntf.dll
2008-01-27 18:53 . 2008-01-30 22:32 <DIR> d-------- C:\Users\Si Lai\AppData\Roaming\Free Download Manager
2008-01-27 18:53 . 2008-01-27 18:53 <DIR> d-------- C:\Program Files\Free Download Manager
2008-01-26 14:20 . 2008-01-26 14:20 67 --a------ C:\Windows\DVDRegionFree.INI
2008-01-26 14:17 . 2008-01-26 14:17 <DIR> d-------- C:\Program Files\DVD Region+CSS Free
.
(((((((((((((((((((((((((((((((((((( 近三個月內更動的檔案 )))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-17 11:21 --------- d-----w C:\ProgramData\Microsoft Help
2008-02-12 22:13 49,416 ----a-w C:\Users\Si Lai\AppData\Roaming\nvModes.dat
2008-02-08 21:22 --------- d-----w C:\Program Files\Bonjour
2008-01-28 18:34 --------- d-----w C:\Program Files\7-Zip
2008-01-26 13:29 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-15 02:39 30,464 ----a-w C:\Windows\system32\drivers\usbaapl.sys
2008-01-10 05:01 --------- d-----w C:\Program Files\Windows Mail
2008-01-09 20:13 802,816 ----a-w C:\Windows\system32\drivers\tcpip.sys
2008-01-09 20:13 24,064 ----a-w C:\Windows\System32\netcfg.exe
2008-01-09 20:13 22,016 ----a-w C:\Windows\System32\netiougc.exe
2008-01-09 20:13 216,760 ----a-w C:\Windows\system32\drivers\netio.sys
2008-01-09 20:13 167,424 ----a-w C:\Windows\System32\tcpipcfg.dll
2008-01-09 20:11 537,600 ----a-w C:\Windows\AppPatch\AcLayers.dll
2008-01-09 20:11 449,024 ----a-w C:\Windows\AppPatch\AcSpecfc.dll
2008-01-09 20:11 4,247,552 ----a-w C:\Windows\System32\GameUXLegacyGDFs.dll
2008-01-09 20:11 2,143,744 ----a-w C:\Windows\AppPatch\AcGenral.dll
2008-01-09 20:11 173,056 ----a-w C:\Windows\AppPatch\AcXtrnal.dll
2008-01-09 20:11 1,686,016 ----a-w C:\Windows\System32\gameux.dll
2008-01-09 20:10 45,112 ----a-w C:\Windows\system32\drivers\pciidex.sys
2008-01-09 20:10 211,000 ----a-w C:\Windows\system32\drivers\volsnap.sys
2008-01-09 20:10 21,560 ----a-w C:\Windows\system32\drivers\atapi.sys
2008-01-09 20:10 17,464 ----a-w C:\Windows\system32\drivers\intelide.sys
2008-01-09 20:10 154,624 ----a-w C:\Windows\system32\drivers\nwifi.sys
2008-01-09 20:10 11,776 ----a-w C:\Windows\System32\sbunattend.exe
2008-01-09 20:10 109,624 ----a-w C:\Windows\system32\drivers\ataport.sys
2008-01-09 20:10 1,060,920 ----a-w C:\Windows\system32\drivers\ntfs.sys
2008-01-09 20:10 --------- d-----w C:\Program Files\Windows Sidebar
2008-01-09 18:28 --------- d-----w C:\Program Files\Windows Live Safety Center
2008-01-06 14:40 --------- d-----w C:\ProgramData\Lavasoft
2008-01-06 14:40 --------- d-----w C:\Program Files\Lavasoft
2008-01-06 14:39 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-01-06 06:08 --------- d-----w C:\ProgramData\Age of Empires 3
2008-01-06 05:35 --------- d-----w C:\Program Files\Common Files\Microsoft Games
2008-01-06 04:42 --------- d-----w C:\Program Files\Microsoft Games
2008-01-03 04:39 --------- d-----w C:\Users\Si Lai\AppData\Roaming\Ahead
2008-01-03 03:42 --------- d-----w C:\Program Files\MSXML 4.0
2008-01-03 02:37 --------- d-----w C:\ProgramData\CyberLink
2008-01-03 02:36 --------- d-----w C:\Users\Si Lai\AppData\Roaming\CyberLink
2008-01-03 02:21 685,816 ----a-w C:\Windows\system32\drivers\sptd.sys
2008-01-02 14:43 --------- d-----w C:\Program Files\Equis
2008-01-02 14:43 --------- d-----w C:\Program Files\Common Files\Equis
2008-01-02 07:17 --------- d-----w C:\Program Files\Real
2008-01-02 07:17 --------- d-----w C:\Program Files\Common Files\xing shared
2008-01-02 07:17 --------- d-----w C:\Program Files\Common Files\Real
2008-01-01 12:06 --------- d-----w C:\Program Files\Trojan-PSW_Win32_Delf_sl_Remover
2007-12-30 12:33 --------- d-----w C:\Users\Si Lai\AppData\Roaming\Lingoes
2007-12-29 14:04 --------- d-----w C:\Program Files\Lingoes
2007-12-29 13:54 --------- d-----w C:\Program Files\Common Files\Adobe
2007-12-29 13:33 --------- d-----w C:\Users\Si Lai\AppData\Roaming\AdobeUM
2007-12-29 08:39 --------- d-----w C:\Users\Si Lai\AppData\Roaming\Media Player Classic
2007-12-29 08:38 --------- d-----w C:\Program Files\K-Lite Codec Pack
2007-12-29 08:35 --------- d-----w C:\Program Files\BulletProofSoft.com
2007-12-29 08:24 --------- d-----w C:\Program Files\Common Files\Macrovision Shared
2007-12-29 08:11 36,864 ----a-w C:\Windows\System32\QCKEY32.DLL
2007-12-29 07:57 4,994,717 ----a-w C:\Windows\System32\q9data.bin
2007-12-29 07:52 --------- d-----w C:\Program Files\RISEDICT
2007-12-29 07:51 --------- d-----w C:\Program Files\CHDICT
2007-12-29 07:49 65,536 ----a-w C:\Windows\System32\qcSkinMakerDll.dll
2007-12-29 07:49 57,396 ----a-w C:\Windows\System32\Q9xpb5u.EXE
2007-12-29 07:49 47,252 ----a-w C:\Windows\System32\Qcbeigbk.bin
2007-12-29 07:49 4,236,288 ----a-w C:\Windows\System32\q9xpb5.exe
2007-12-29 07:49 35,328 ----a-w C:\Windows\System32\qseteudc.exe
2007-12-29 07:49 29,514 ----a-w C:\Windows\System32\QCBEIB5.BIN
2007-12-29 07:49 103,840 ----a-w C:\Windows\System32\q9wave16.exe
2007-12-29 07:49 --------- d-----w C:\Program Files\Q9XPB5
2007-12-29 07:48 90,162 ----a-w C:\Windows\System32\doime.exe
2007-12-29 07:48 65,536 ----a-w C:\Windows\System32\SkinMakerDll.dll
2007-12-29 07:48 29,516 ----a-w C:\Windows\System32\q9b5gb.bin
2007-12-29 07:48 26,112 ----a-w C:\Windows\System32\QTRAYIME.EXE
2007-12-29 03:40 --------- d-----w C:\Users\Si Lai\AppData\Roaming\ArcSoft
2007-12-29 03:03 --------- d-----w C:\Program Files\BitComet
2007-12-28 15:32 --------- d-----w C:\Program Files\Windows Defender
2007-12-28 15:32 --------- d-----w C:\Program Files\Windows Calendar
2007-12-28 15:14 704,000 ----a-w C:\Windows\System32\PhotoScreensaver.scr
2007-12-28 15:13 49,664 ----a-w C:\Windows\System32\csrsrv.dll
2007-12-28 15:13 376,320 ----a-w C:\Windows\System32\winsrv.dll
2007-12-28 15:12 8,147,968 ----a-w C:\Windows\System32\wmploc.DLL
2007-12-28 15:12 7,680 ----a-w C:\Windows\System32\spwmp.dll
2007-12-28 15:12 374,456 ----a-w C:\Windows\System32\mcupdate_GenuineIntel.dll
2007-12-28 15:11 86,016 ----a-w C:\Windows\System32\icfupgd.dll
2007-12-28 15:11 63,488 ----a-w C:\Windows\system32\drivers\mpsdrv.sys
2007-12-28 15:11 61,952 ----a-w C:\Windows\System32\cmifw.dll
2007-12-28 15:11 4,096 ----a-w C:\Windows\System32\dxmasf.dll
2007-12-28 15:11 396,800 ----a-w C:\Windows\System32\MPSSVC.dll
2007-12-28 15:11 392,192 ----a-w C:\Windows\System32\FirewallAPI.dll
2007-12-28 15:11 356,864 ----a-w C:\Windows\System32\MediaMetadataHandler.dll
2007-12-28 15:11 23,040 ----a-w C:\Windows\system32\drivers\tunnel.sys
2007-12-28 15:11 178,688 ----a-w C:\Windows\System32\iphlpsvc.dll
2007-12-28 15:11 16,896 ----a-w C:\Windows\System32\wfapigp.dll
2007-12-28 15:11 15,360 ----a-w C:\Windows\system32\drivers\TUNMP.SYS
2007-12-28 14:44 174 --sha-w C:\Program Files\desktop.ini
2007-12-28 14:34 1,191,936 ----a-w C:\Windows\System32\msxml3.dll
2007-12-28 14:32 82,432 ----a-w C:\Windows\system32\drivers\sdbus.sys
2007-12-28 14:32 1,327,104 ----a-w C:\Windows\System32\quartz.dll
2007-12-28 14:31 9,728 ----a-w C:\Windows\System32\LAPRXY.DLL
2007-12-28 14:31 223,232 ----a-w C:\Windows\System32\WMASF.DLL
2007-12-28 14:30 57,856 ----a-w C:\Windows\System32\SLUINotify.dll
2007-12-28 14:30 566,784 ----a-w C:\Windows\System32\SLCommDlg.dll
2007-12-28 14:30 39,936 ----a-w C:\Windows\System32\slcinst.dll
2007-12-28 14:30 351,232 ----a-w C:\Windows\System32\SLUI.exe
.
(((((((((((((((((((((((((((((((((((((((((( 重要登錄檔 )))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*注意* 空白或合法的登錄值將不會顯示
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="C:\Program Files\Windows Sidebar\sidebar.exe" [2008-01-09 20:10 1232896]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [2007-10-18 03:35 5724184]
"Lingoes"="C:\Program Files\Lingoes\Translator2\Lingoes.exe" [2007-12-06 20:57 1933312]
"AlcoholAutomount"="C:\Program Files\Alcohol Soft\Alcohol 120\axcmd.exe" [2008-01-03 02:28 4608]
"ehTray.exe"="C:\Windows\ehome\ehTray.exe" [2006-11-02 12:35 125440]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-11-02 12:36 201728]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2007-12-28 15:13 1006264]
"Unattend0000000001{C1C65770-BE5F-4D51-8681-EF44DA75AE36}"="wscript.exe" [2006-11-02 09:46 135168 C:\Windows\System32\wscript.exe]
"NvSvc"="C:\Windows\system32\nvsvc.dll" [2007-04-28 11:05 86016]
"NvCplDaemon"="C:\Windows\system32\NvCpl.dll" [2007-04-28 11:05 8429568]
"NvMediaCenter"="C:\Windows\system32\NvMcTray.dll" [2007-04-28 11:05 81920]
"RtHDVCpl"="RtHDVCpl.exe" [2007-05-04 08:56 4452352 C:\Windows\RtHDVCpl.exe]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2007-04-19 08:49 861744]
"Q-HotkeyMgr"="C:\Program Files\BenQ\Q-HotkeyMgr\HotkeySensor.exe" [2007-03-30 02:26 237673]
"QShot"="C:\Program Files\BenQ\QShot\QShot.exe" [2007-04-13 02:14 421888]
"BenQSurround"="C:\Program Files\BenQ\BenQ Surround\BenQSurround.exe" [2007-04-20 03:33 1187840]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2006-11-23 07:10 56928]
"LanguageShortcut"="C:\Program Files\CyberLink\PowerDVD\Language\Language.exe" [2006-12-05 14:55 54832]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 07:40 155648]
"Q-MediaBar"="C:\Program Files\BenQ\Q-MediaBar\QBar.exe" [2007-01-26 00:49 159744]
"Unattend0000000001{DD273B8B-BEE0-4F62-83E5-9E21F47874A1}"="wscript.exe" [2006-11-02 09:46 135168 C:\Windows\System32\wscript.exe]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-23 23:00 33648]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-01-02 07:17 185896]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-01-27 22:08 579072]
"00PCTFW"="C:\Program Files\PC Tools Firewall Plus\FirewallGUI.exe" [2007-12-31 09:16 2594712]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-01-10 15:27 385024]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-01-15 03:22 267048]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-01-27 22:08 219136]
C:\Users\Si Lai\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
九方快速啟動.lnk - C:\Windows\System32\QTRAYIME.EXE [2007-12-29 07:48:58 26112]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{93994DE8-8239-4655-B1D1-5F4E91300429}"= C:\Program Files\DVD Region+CSS Free\DVDShell.dll [2004-10-09 15:18 49152]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgwlntf]
avgwlntf.dll 2008-01-27 22:08 9216 C:\Windows\System32\avgwlntf.dll
R1 pctfw2;pctfw2;C:\Windows\System32\drivers\pctfw2.sys [2008-01-04 14:13]
R1 pctmp;PC Tools Firewall Memory Protection Driver;C:\Windows\system32\drivers\pctmp.sys [2008-01-04 14:13]
R1 pctssipc;PC Tools Security Suite IPC Driver;C:\Windows\system32\drivers\pctssipc.sys [2008-01-04 14:13]
R2 QBIOSIO;QBIOSIo.dll;C:\Windows\system32\QBIOSIo.dll [2007-01-19 16:02]
R2 SBSDWSCService;SBSD Security Center Service;C:\Program Files\Spybot []
R3 ARCSOFTVIRTUALCAPTURE;ArcSoft Magic-i Driver;C:\Windows\system32\DRIVERS\ArcSoftVirtualCapture.sys [2006-11-24 09:53]
R3 athr;Atheros Extensible Wireless LAN device driver;C:\Windows\system32\DRIVERS\athr.sys [2007-01-23 08:25]
R3 SNP2UVC;USB2.0 PC Camera (SNP2UVC);C:\Windows\system32\DRIVERS\snp2uvc.sys [2007-02-07 10:35]
R3 yukonwlh;NDIS6.0 Miniport Driver for Marvell Yukon Ethernet Controller;C:\Windows\system32\DRIVERS\yk60x86.sys [2007-03-13 02:12]
S3 btwaudio;藍芽音效裝置;C:\Windows\system32\drivers\btwaudio.sys [2006-11-20 05:59]
S3 btwavdt;Bluetooth AVDT;C:\Windows\system32\drivers\btwavdt.sys [2006-11-20 05:59]
S3 btwrchid;btwrchid;C:\Windows\system32\DRIVERS\btwrchid.sys [2006-11-20 05:59]
S3 QBIOSIO.dll;QBIOSIO.dll;C:\Windows\system32\QBIOSIO.dll [2007-01-19 16:02]
S3 QBIOSIOdetect.dll;QBIOSIOdetect.dll;C:\DRV\BT\BTChk\QBIOSIOdetect.dll [2007-01-22 13:00]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs REG_MULTI_SZ BthServ
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{bc9495bb-b52a-11dc-8f88-806e6f6e6963}]
\shell\AutoRun\command - E:\RunGame.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c14dc390-b530-11dc-97e4-001b24a47bc1}]
\shell\AutoRun\command - H:\autorun6e.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d0d9981d-c1cf-11dc-9764-001b24a47bc1}]
\shell\AutoRun\command - EXPLORER.EXE
\shell\explore\Command - EXPLORER.EXE
\shell\open\Command - EXPLORER.EXE
.
**************************************************************************
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-17 11:24:55
Windows 6.0.6000 NTFS
掃描隱藏的程序...
掃描隱藏的進程...
掃描隱藏的檔案...
掃描完成
隱藏檔案?: 0
**************************************************************************
.
完成時間?: 2008-02-17 11:25:44
ComboFix-quarantined-files.txt 2008-02-17 11:25:42
ComboFix2.txt 2008-02-08 16:43:22
.
2008-02-15 14:58:40 --- E O F ---

HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:31:04, on 17/2/2008
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16575)
Boot mode: Normal
Running processes:
C:\Windows\system32\Dwm.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\RtHDVCpl.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\BenQ\Q-HotkeyMgr\HotkeySensor.exe
C:\Program Files\BenQ\BenQ Surround\BenQSurround.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\BenQ\Q-MediaBar\qbar.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Windows\system32\conime.exe
C:\Windows\Explorer.exe
C:\Program Files\Internet Explorer\IEUser.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Windows\system32\Macromed\Flash\FlashUtil9b.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.11.30.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live 登入小幫手 - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Program Files\Free Download Manager\iefdm2.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [Unattend0000000001{C1C65770-BE5F-4D51-8681-EF44DA75AE36}] wscript.exe c:\windows\winbom.vbs
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Q-HotkeyMgr] "C:\Program Files\BenQ\Q-HotkeyMgr\HotkeySensor.exe"
O4 - HKLM\..\Run: [QShot] C:\Program Files\BenQ\QShot\QShot.exe
O4 - HKLM\..\Run: [BenQSurround] C:\Program Files\BenQ\BenQ Surround\BenQSurround.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [Q-MediaBar] "C:\Program Files\BenQ\Q-MediaBar\QBar.exe" /stop
O4 - HKLM\..\Run: [Unattend0000000001{DD273B8B-BEE0-4F62-83E5-9E21F47874A1}] wscript.exe c:\windows\winbom.vbs
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [00PCTFW] "C:\Program Files\PC Tools Firewall Plus\FirewallGUI.exe" -s
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Lingoes] C:\Program Files\Lingoes\Translator2\Lingoes.exe
O4 - HKCU\..\Run: [AlcoholAutomount] "C:\Program Files\Alcohol Soft\Alcohol 120\axcmd.exe" /automount
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Startup: 九方快速啟動.lnk = C:\Windows\System32\QTRAYIME.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: BTTray.lnk = ?
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download video with Free Download Manager - file://C:\Program Files\Free Download Manager\dlfvideo.htm
O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: 傳送影像到 Bluetooth 裝置(&B)... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: 傳送頁面到 Bluetooth 裝置(&B)... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O8 - Extra context menu item: 匯出至 Microsoft Excel(&X) - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet\tools\BitCometBHO_1.1.11.30.dll/206 (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O13 - Gopher Prefix:
O15 - ESC Trusted Zone: http://*.update.microsoft.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{4C265B15-6DDB-4773-B911-665418977136}: NameServer = 192.168.0.1
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O20 - Winlogon Notify: avgwlntf - C:\Windows\SYSTEM32\avgwlntf.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\Windows\system32\agrsmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AST Service (astcc) - Advanced Software Technologies - C:\Windows\SYSTEM32\astsrv.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG7 Resident Shield Service (AvgCoreSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
O23 - Service: Bonjour 服? (Bonjour Service) - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod 服務 (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MgiSvr - ArcSoft, Inc. - C:\Program Files\ArcSoft\Magic-i 3\uMgiSvr.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: PC Tools Firewall Plus (PCToolsFirewallPlus) - PC Tools - C:\Program Files\PC Tools Firewall Plus\FWService.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
--
End of file - 10869 bytes

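The HijackThis log above is plain text with one entry per line ("O2 - BHO: ...", "O4 - HKLM\..\Run: ...", "O23 - Service: ..."). As an added example, not code from this thread, from HijackThis or from ComboFix, the Python script below parses that line format into records and runs a few defender-side triage checks over it: entries whose target file is reported absent ("(no file)" / "(file missing)", which are leftover registrations worth cleaning up rather than evidence of infection), hosts-file lines that map something other than localhost, startup entries that launch a script host, and O17 NameServer values outside LAN/loopback ranges. The sample log embedded in it is constructed for the example (the GUID of all zeros and the 10.0.0.5 / 203.0.113.9 addresses are placeholders), and the names `parse_line`, `triage`, `flagged` and `is_lan_address` are this example's own.

```python
"""Parse HijackThis v2 log lines and run simple triage checks (added example)."""
import ipaddress
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Every HijackThis finding starts with a section code such as O2, O4, O23.
ENTRY_RE = re.compile(r"^(O\d+)\s+-\s+(.*)$")
GUID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
MISSING_MARKERS = ("(no file)", "(file missing)")
SCRIPT_HOSTS = ("wscript.exe", "cscript.exe", "mshta.exe")
LOCAL_NETS = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


@dataclass
class Entry:
    section: str                 # "O2", "O4", ...
    text: str                    # payload after "Oxx - "
    guid: Optional[str] = None   # CLSID/GUID if the line carries one
    flags: List[str] = field(default_factory=list)


def is_lan_address(addr: str) -> bool:
    """True for RFC1918 and loopback IPv4 addresses; False otherwise."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in LOCAL_NETS)


def triage(entry: Entry) -> None:
    """Attach review flags to one parsed entry (heuristics, not verdicts)."""
    low = entry.text.lower()
    if any(marker in low for marker in MISSING_MARKERS):
        entry.flags.append("orphaned: target file missing")
    if entry.section == "O1" and ":" in entry.text:
        # "Hosts: <address> <name>"; only loopback -> localhost is expected
        parts = entry.text.split(":", 1)[1].split()
        if len(parts) >= 2 and not (parts[0] in ("127.0.0.1", "::1")
                                    and parts[1].lower() == "localhost"):
            entry.flags.append("hosts override")
    if entry.section == "O4" and any(h in low for h in SCRIPT_HOSTS):
        entry.flags.append("script host at startup: review the script it runs")
    if entry.section == "O17":
        m = re.search(r"NameServer\s*=\s*([\d.,]+)", entry.text)
        if m:
            for addr in m.group(1).split(","):
                try:
                    if not is_lan_address(addr.strip()):
                        entry.flags.append("DNS server outside LAN/loopback ranges")
                except ValueError:
                    entry.flags.append("unparseable NameServer value")


def parse_line(line: str) -> Optional[Entry]:
    """Return an Entry for an 'Oxx - ...' line, None for header/process lines."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    section, text = m.groups()
    entry = Entry(section, text)
    g = GUID_RE.search(text)
    if g:
        entry.guid = g.group(0)
    triage(entry)
    return entry


def parse_log(text: str) -> List[Entry]:
    return [e for e in (parse_line(ln) for ln in text.splitlines()) if e]


def flagged(entries: List[Entry]) -> List[Tuple[str, str]]:
    return [(e.section, f) for e in entries for f in e.flags]


def section_counts(entries: List[Entry]) -> Dict[str, int]:
    counts: Dict[str, int] = {}
    for e in entries:
        counts[e.section] = counts.get(e.section, 0) + 1
    return counts


# Constructed sample log in the HijackThis v2 format (not the thread's own log).
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Running processes:
C:\Windows\Explorer.EXE
O1 - Hosts: ::1 localhost
O1 - Hosts: 10.0.0.5 update.example-av.test
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [Unattend0000000001{C1C65770-BE5F-4D51-8681-EF44DA75AE36}] wscript.exe c:\windows\winbom.vbs
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet\tools\BitCometBHO_1.1.11.30.dll/206 (file missing)
O17 - HKLM\System\CCS\Services\Tcpip\..\{4C265B15-6DDB-4773-B911-665418977136}: NameServer = 192.168.0.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{00000000-0000-0000-0000-000000000000}: NameServer = 203.0.113.9
"""

if __name__ == "__main__":
    parsed = parse_log(SAMPLE_LOG)
    print("entries per section:", section_counts(parsed))
    for section, flag in flagged(parsed):
        print(f"{section}: {flag}")
```

The flags are prompts for a human reviewer, not verdicts: the unattend `wscript.exe` line in the sample mirrors an OEM entry that is perfectly ordinary on some laptops, so the check only says "review", and a NameServer on a home router's 192.168.0.1 is left alone.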

  #11  
Old 02-17-2008
Pancake's Avatar
Senior Security Analyst
 
Join Date: Jun 2006
Location: Victoria, Australia
Posts: 3,590
PC Experience: Elite PC Guru
Pancake - See this Members User comments on their Profile page Pancake - See this Members User comments on their Profile page Pancake - See this Members User comments on their Profile page Pancake - See this Members User comments on their Profile page Pancake - See this Members User comments on their Profile page Pancake - See this Members User comments on their Profile page Pancake - See this Members User comments on their Profile page Pancake - See this Members User comments on their Profile page Pancake - See this Members User comments on their Profile page Pancake - See this Members User comments on their Profile page Pancake - See this Members User comments on their Profile page
Re: Trojan and spyware (i guess)

And a few more...


Please copy this page to *Notepad* and save to your desktop for reference as you will not have any browsers open while you are carrying out portions of these instructions.
It's IMPORTANT to carry out the instructions in the sequence listed below.
1. Close any open browsers.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
Open *notepad* and copy/paste the text in the quotebox below into it:

Killall::

File::
C:\sqmdata07.sqm
C:\sqmnoopt07.sqm
C:\sqmdata06.sqm
C:\sqmnoopt06.sqm
C:\sqmdata05.sqm
C:\sqmnoopt05.sqm
C:\sqmdata04.sqm
C:\sqmnoopt04.sqm
C:\sqmdata03.sqm
C:\sqmnoopt03.sqm
C:\sqmdata02.sqm
C:\sqmnoopt02.sqm
Save this as CFScript.txt, in the same location as ComboFix.exe which is on the Desktop.


Referring to the picture above, drag CFScript.txt into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt
Please copy and paste the ComboFix.txt along with a fresh HijackThis log in your next reply.

*Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.*


__________________
My real name is Eddy
  #12  
Old 02-18-2008
Bronze Member
 
Join Date: Feb 2008
Location: UK
Posts: 12
PC Experience: Some Experience
simonlaihk
Re: Trojan and spyware (i guess)

Hi there,

After I entered 1 in the ComboFix window and it started to load, a blue screen appeared and said something like "the system is terminated", then the computer restarted itself. I don't think ComboFix managed to do its work, because there isn't a log file being saved.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:18, on 2008-02-18
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16609)
Boot mode: Normal
Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\System32\rundll32.exe
C:\Windows\RtHDVCpl.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\BenQ\Q-HotkeyMgr\HotkeySensor.exe
C:\Program Files\BenQ\BenQ Surround\BenQSurround.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\BenQ\Q-MediaBar\qbar.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\PC Tools Firewall Plus\FirewallGUI.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Lingoes\Translator2\Lingoes.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Windows\ehome\ehmsas.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Internet Explorer\IEUser.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.11.30.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live 登入小幫手 - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Program Files\Free Download Manager\iefdm2.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [Unattend0000000001{C1C65770-BE5F-4D51-8681-EF44DA75AE36}] wscript.exe c:\windows\winbom.vbs
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Q-HotkeyMgr] "C:\Program Files\BenQ\Q-HotkeyMgr\HotkeySensor.exe"
O4 - HKLM\..\Run: [QShot] C:\Program Files\BenQ\QShot\QShot.exe
O4 - HKLM\..\Run: [BenQSurround] C:\Program Files\BenQ\BenQ Surround\BenQSurround.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [Q-MediaBar] "C:\Program Files\BenQ\Q-MediaBar\QBar.exe" /stop
O4 - HKLM\..\Run: [Unattend0000000001{DD273B8B-BEE0-4F62-83E5-9E21F47874A1}] wscript.exe c:\windows\winbom.vbs
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [00PCTFW] "C:\Program Files\PC Tools Firewall Plus\FirewallGUI.exe" -s
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Lingoes] C:\Program Files\Lingoes\Translator2\Lingoes.exe
O4 - HKCU\..\Run: [AlcoholAutomount] "C:\Program Files\Alcohol Soft\Alcohol 120\axcmd.exe" /automount
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Startup: 九方快速啟動.lnk = C:\Windows\System32\QTRAYIME.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: BTTray.lnk = ?
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download video with Free Download Manager - file://C:\Program Files\Free Download Manager\dlfvideo.htm
O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: 傳送影像到 Bluetooth 裝置(&B)... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: 傳送頁面到 Bluetooth 裝置(&B)... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O8 - Extra context menu item: 匯出至 Microsoft Excel(&X) - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet\tools\BitCometBHO_1.1.11.30.dll/206 (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O13 - Gopher Prefix:
O15 - ESC Trusted Zone: http://*.update.microsoft.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{4C265B15-6DDB-4773-B911-665418977136}: NameServer = 192.168.0.1
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O20 - Winlogon Notify: avgwlntf - C:\Windows\SYSTEM32\avgwlntf.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\Windows\system32\agrsmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AST Service (astcc) - Advanced Software Technologies - C:\Windows\SYSTEM32\astsrv.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG7 Resident Shield Service (AvgCoreSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
O23 - Service: Bonjour 服? (Bonjour Service) - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod 服務 (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MgiSvr - ArcSoft, Inc. - C:\Program Files\ArcSoft\Magic-i 3\uMgiSvr.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: PC Tools Firewall Plus (PCToolsFirewallPlus) - PC Tools - C:\Program Files\PC Tools Firewall Plus\FWService.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
--
End of file - 11057 bytes
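What follows is an added example, not code from this thread and not part of HijackThis or ComboFix. It is a small Python triage script that takes lines copied verbatim from the log above as constructed sample input and applies the checks an analyst does by eye before writing a CFScript like the one in post #11: browser add-ons whose file is gone ("(no file)" / "(file missing)"), autoruns that start through a script host or through a DLL proxy such as rundll32.exe, one command registered under several autorun values, and services with no publisher recorded. The lists of script hosts and proxy binaries and the "outside System32" test are my own heuristics (assumptions). A finding is a prompt to look at the entry, not a verdict: the two wscript.exe/winbom.vbs entries are flagged because a logon script deserves a look, not because the thread says they are malicious.

```python
"""Triage helper for HijackThis 2.0 log lines (Python 3.8+).

Added example: not code from the forum thread, HijackThis or ComboFix.
It parses the O2/O4/O9/O23 line formats seen in the posted log and applies
the checks an analyst does by eye before prescribing a ComboFix script.
A finding is a prompt for review, not a verdict.
"""
import re
from collections import defaultdict

# Constructed sample: lines copied verbatim from the HijackThis log above.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [Unattend0000000001{C1C65770-BE5F-4D51-8681-EF44DA75AE36}] wscript.exe c:\windows\winbom.vbs
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [Unattend0000000001{DD273B8B-BEE0-4F62-83E5-9E21F47874A1}] wscript.exe c:\windows\winbom.vbs
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet\tools\BitCometBHO_1.1.11.30.dll/206 (file missing)
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
"""

# One pattern per HJT section handled. Non-greedy groups before the last
# " - " keep paths that themselves contain " - " (Spybot - Search & Destroy) intact.
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[^}]+\}) - (?P<path>.*)$")
O4_RE = re.compile(r"^O4 - (?P<hive>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.*?)"
                   r"(?: \(User '(?P<user>[^']*)'\))?$")
O9_RE = re.compile(r"^O9 - Extra (?:button|'Tools' menuitem): (?P<name>.*?) - "
                   r"(?P<clsid>\{[^}]+\}) - (?P<path>.*)$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.*?) - (?P<owner>.*?) - (?P<path>.*)$")
ORPHAN_RE = re.compile(r"\((?:no file|file missing)\)")
# First executable of a command line; copes with quoted and unquoted paths with spaces.
LAUNCHER_RE = re.compile(r'^"?(?P<exe>.*?\.(?:exe|com|bat|cmd|vbs|js|dll))"?(?=\s|$)',
                         re.IGNORECASE)

# Heuristic lists (assumptions, not from the thread).
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe"}
PROXY_HOSTS = {"rundll32.exe", "regsvr32.exe"}   # legitimate, but they hide the real payload


def launcher(cmd):
    """Lower-cased basename of the executable an autorun command starts with."""
    cmd = cmd.strip()
    m = LAUNCHER_RE.match(cmd)
    exe = m.group("exe") if m else cmd.split(" ", 1)[0]
    return exe.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def triage(log_text):
    """Return a list of (section, entry name, reason) findings for an HJT log."""
    findings = []
    by_command = defaultdict(list)          # normalised command -> autorun value names
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        section = line.split(" ", 1)[0]
        m = O4_RE.match(line)
        if m:
            name, cmd = m["name"], m["cmd"].strip()
            by_command[cmd.lower()].append(name)
            exe = launcher(cmd)
            if exe in SCRIPT_HOSTS:
                findings.append((section, name, f"script host {exe} at logon runs: {cmd}"))
            elif exe in PROXY_HOSTS:
                args = cmd.split(None, 1)[1:]
                if not args or "\\windows\\system32\\" not in args[0].lower():
                    findings.append((section, name, f"{exe} loading a DLL from outside System32: {cmd}"))
            continue
        m = O2_RE.match(line) or O9_RE.match(line)
        if m:
            if ORPHAN_RE.search(m["path"]):
                findings.append((section, m["name"], "orphaned entry, target file missing: safe to clean"))
            continue
        m = O23_RE.match(line)
        if m and m["owner"].lower() == "unknown owner":
            findings.append((section, m["name"], f"no publisher recorded for {m['path']}: verify its signature"))
    for cmd, names in by_command.items():
        if len(names) > 1:
            findings.append(("O4", ", ".join(names), f"same command under {len(names)} autorun values: {cmd}"))
    return findings


if __name__ == "__main__":
    for section, name, reason in triage(SAMPLE_LOG):
        print(f"{section:<4} {name:<55} {reason}")
```

To run it over a real log, pass the saved hijackthis.log text to triage() instead of SAMPLE_LOG. The orphaned O2/O9 entries it reports are the ones HijackThis can fix directly; the script-host and unknown-publisher findings are the ones to hash and check before deciding whether they belong in a File:: block of a CFScript.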


  #13  
Old 02-18-2008
Bronze Member
 
Join Date: Feb 2008
Location: UK
Posts: 12
PC Experience: Some Experience
simonlaihk
Re: Trojan and spyware (i guess)

By the way, it says it cannot find '::{2559A1F4-21D7-11D4-BDAF-00C04F60B9F0}' when I open Internet Explorer. Then it sort of opens another browser and loads the homepage into it (well, there are two Internet Explorer windows open and then one disappears).


  #14  
Old 02-18-2008
Pancake
Senior Security Analyst
 
Join Date: Jun 2006
Location: Victoria, Australia
Posts: 3,590
PC Experience: Elite PC Guru
Re: Trojan and spyware (i guess)

Can you run ComboFix and post its log, please?


__________________
My real name is Eddy
